Purpose

Provide an overview of the assessment approach for cyber-based critical infrastructure security controls to protect against threats to the security, safety and survivability of critical infrastructure cyber assets, related services and processes.

Session Learning Objectives

• Understand what “Critical Infrastructure” and “Cyber (Physical) System” are
• Understand the challenges and issues related to cyber security
• Understand applicable cyber security standards
• Explore the cyber security assessment approach
• Review the test techniques and tools for vulnerability assessment

INTRODUCTION

“The revolution in communications and information technologies have given birth to a virtual world. . . Cyberspace is real and so are the risks that come with it.

It’s the great irony of our Information Age - the very technologies that empower us to create and build also empower those who would disrupt and destroy.”

President Obama
Remarks by the President on Securing our Nation's Cyber Infrastructure
May 29, 2009
http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/

Critical Infrastructure/Assets

. . . Those facilities, systems, and equipments if destroyed, would have a debilitating impact on security, health and safety essential for functioning of a society and economy
— USA Patriot Act (P.L. 107-56)

[Figure: critical infrastructure sectors]
• Oil & Gas
• Chemical
• Healthcare
• Retail
• Shipping
• Transportation
• Civil Services
• Manufacturing
• Electric
• Agriculture
• Defense
• Emergency Management
• Nuclear
• Food & Water
• Communications Services

Critical Infrastructures are public and private institutions

http://www.dhs.gov/xlibrary/assets/nipp-ssp-energy-redacted.pdf

Huge interdependencies across economy that we do not understand,

Cyberspace

is the non-physical terrain created by computer systems. Anything related to the Internet also falls under the cyber category.
http://www.webopedia.com/TERM/C/cyber.html

Is composed of interconnected computers, servers, routers, switches and fiber optic cables in which online communications take place using Internet technologies

is typically designed as a network of interacting elements with physical input and output instead of as standalone devices
http://en.wikipedia.org/wiki/Cyber-physical_system

Cyber = Enabling of Internet technologies

Information System / Cyber System

[Figure: Information System and Cyber System, each drawn as layers of Users, Software, Platform and Infrastructure, with Infrastructure Controls]

Critical infrastructures rely upon physical and cyber-based systems for their daily operations

Generic Industrial Control System Network Architecture - SCADA

http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

Critical Infrastructure using Industrial Controls

SYNCHING-UP WITH TECHNOLOGIES: CYBER SECURITY ISSUES AND CHALLENGES

Systems & Software Technology Conference

Emerging Trends

• Transforming from paper-based to digital
• Isolated control devices to real-time intelligent processors
• Rapid integration of COTS and IT products and systems
• Increasing connectivity among infrastructure control systems and information management system
• Increasing access to infrastructure assets via Internet based technologies
• Increasing concerns to Privacy

Emerging Threats

• Increase in malicious physical attack
• Increase in Spyware, Key loggers, Trojans
• Decrease in Time to Exploit Vulnerabilities
• Increase in well organized Cyber Crime Professionals
• Increase in use of unauthorized exploitation of standardized asset
• Increase in Network Threat Tools

And Increasing

Caused By

There are many different agents with varying motivations in the cybersecurity domain.

Growth of network threat tools has changed the threat environment forever.

Synching-up with Technologies-4

Causing loss of control and communications in

Transport Media
• Routers, Switches, Antenna, Towers, Conduits

Protocols
• Standard, Proprietary

Gateways
• Proxy Servers, Firewalls

Systems
• Cyber Systems, Cyber Physical Systems

Field Devices
• Sensors, Meters, IEDs, Relays, RTUs

Storage
• Database, Files

Growth of cyber technologies has changed the threat environment forever.

Synching-up with Technologies-5

Creating Impacts on

• Economic Uncertainty
• Accurate Data Management
• Customer Confidence

And Numerous Cascading Effect because of Domain Interdependencies

Synching-up with Technologies-6

Having Statistics

[Chart: How has the severity of cybersecurity incidents* at your agency changed in the last year?]

Inability to protect the critical infrastructure

[Chart: What are the most significant security threats to your organization today?]

http://webobjects.cdw.com/webobjects/media/pdf/Newsroom/2009-CDWG-Federal-Cybersecurity-Report-1109.pdf

http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/CA%20Security%20Mega%20Trends%20White%20Paper%20FINAL%202%20%282%29.pdf

Synching-up with Technology-7

Because of Gaps in Technology Assessment

• Knowledge of attack vectors used by attackers
• Ability to identify the actual perpetrator
• Security controls assessment guidelines
• Measurement guidelines for security assessment
• Skills to perform security controls assessments
• Organizational uniformity in security assessment planning

Investing in Security Assessment is NOT an Option BUT a Necessity

CYBER SECURITY REQUIREMENTS AND CONTROLS

Security
• Confidentiality
• Integrity
• Availability

Safety
• People
• Assets
• Nature

Survivability
• Reliable
• Responsive
• Resilient

To Support Infrastructure Protection

• National Security
• Individual Security
• Societal Stability and Security
• Economic Stability and Security
• Critical Infrastructure Security/Continuity and
• The Preservation of Natural Resources and the Environment.

To build Trust and Confidence in system environment

Following Applicable Security Standards

Federal
• FISMA
• DIACAP
• NIST
• <more...>

Industry
• HIPAA
• PCI
• SOX
• <more...>

Critical Infrastructure
• NERC
• FERC
• CFATS
• NIST Cyber-Grid
• ISA-99
• <more...>

International
• ISO
• ITU
• <more...>

Private
• SANS - CAG
• OASIS
• OWASP
• <more...>

And Growing Day by Day..

Cyber Security Standards

[Figure: Cyber System Security Standards (OASIS, OWASP) + Applicable Industrial Sector Standards (NERC-CIP, NIST-Cyber Grid, Chemical, Nuclear, Transportation, ISA-99), shown with Cyber Physical System Security Standards]

Cyber security standards can be used to help identify problems and reduce the vulnerabilities in a control system

Management
• Risk Assessment
• Business Continuity Planning
• Disaster Recovery Planning
• Incident Management
• Awareness & Training
• Security Assessment
• C&A

Technical
• Identification
• Authentication
• Access Control
• Accounting
• Auditing
• System Protection
• Communication Protection
• Encryption and Key Management

Operational
• Physical Protection
• Environmental Protection
• Personnel Security
• Communication Protection
• Configuration Management
• Media Protection
• Incident Response

Monitoring
• Risk Assessment
• Physical Access
• Media Access
• Remote Access
• Environmental Controls
• Suspicious Activities
• Maintenance
• IDS and IPS
• Patch Management
• Change Management

Guide to Industrial Control Systems (ICS) Security at
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

Infrastructure Specific
• Physical Locations
• Critical Assets Classification
• Control Center/Room
• Control Devices
• Proprietary Systems
• Proprietary Protocols
• Inter-Dependencies

To build Trust and Confidence in system environment

[Table: security controls by standard; the per-standard check marks are not recoverable]

Standards compared: ISO 17799, API 1164, IEEE 1402, AGA Report No. 12, NERC Security Guideline, NERC 1200, ISA TR99-01, ISA TR99-02, PCSRF, IEC 62210, IEC 62351

Controls listed:
• Availability
• ACCESS CONTROL
• Business requirements for access control.
• User access management.
• User responsibilities.
• Network access control.
• Operating system access control.
• Application access control.
• Monitoring system access and use.
• Mobile computing and teleworking considerations.
• Field Device Access

http://www.oe.energy.gov/DocumentsandMedia/Summary_of_CS_Standards_Activities_in_Energy_Sector.pdf

A summary of controls for Energy sector

CYBER SECURITY ASSESSMENT FRAMEWORK

Assessment Objectives

Cyber Security Assessment

The test and evaluation of the cyber system security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

• Ensure the confidentiality, integrity and availability of the data
• Ensure safety of people, assets and natural resources
• Ensure compliance to legislative and regulatory Standards
• Ensure protection against security vulnerabilities and threats
• Identify problem areas and provide reasonable options
• Ensure cyber infrastructure is reliable, recoverable and resilient

Develop the business case for cyber security assessment that will enhance infrastructure security.

Cyber Security Assessment-1

Cyber Security Controls Assessment Life Cycle - I4M

[Figure: five-step assessment life cycle, steps numbered 1 to 5]
Inputs: Plans & Processes; Facility Layout; IT/IC Layout; Network Topology; Security Standards
Phase labels: Planning; Identify; Investigate; Monitor
Phase subjects: Infrastructure Documents; Critical Cyber Assets; Security “State”; Security Operation
Outputs: Assessment Plan; Security Implementation Review Report; Critical Cyber Assets Report; Cyber Security Assessment Report; Cyber Security Feedback

Assess readiness of system and related infrastructure in accordance with security standards/controls

Initiate

1. Select/Obtain sponsorship
2. Define objectives
3. Select policy and guideline for assessment
4. Identify and gather documentation
5. Develop Assessment Plan

Inspect

1. Domain specific security policies, plans and processes
2. Security requirements and standards
3. Layouts and configuration for facility and environment
4. ITS and ICS security controls documentation
5. Disaster Recovery and Incident Management Procedures
6. Develop Security Implementation Report

Plan and Gain an understanding of security needs

Identify

• Infrastructure Interdependencies
• Develop Critical Cyber Asset Report

Susceptibility to Cyber attacks leading to

• Local Impacts
• Cascading Impacts
• Social Impacts
• Interdependency Impacts
• Environmental Impacts
• Economic Stability Impacts
• National Security Impacts

Identify and rank all critical cyber assets from a security perspective

Investigate

1. Input, output and expected behavior of critical Cyber assets
2. Security controls (implemented, inherited, legacy, hybrid)
3. Risk management based compensating controls
4. Redundancy and recoverability capability
5. Resources and time to repair
6. Develop Cyber Security Assessment Report

For Threats

Natural
• Earthquake
• Storm and Lightning
• Fire

Human
• Computer Abuse
• Interception & Spoofing, Hacking
• Sabotage or Vandalism
• System Tampering
• Password Guessing
• Many more.

Understand and capture system security view of critical operation

Report

• Assessment of identified critical assets
• Analysis of the threats to and vulnerabilities
• Recommendations to reduce vulnerabilities
• Other information essential for the development of operational security

Monitor

• Changes in security Requirements and standards
• Security Controls
• Patch and configuration management
• Vulnerability and incident management
• Risk management
• Security “state” of Cyber Assets

Continuously monitor and report

VULNERABILITY ASSESSMENT

Objectives

1. Build awareness of vulnerabilities for Cyber assets and interdependencies between them
2. Ensure that security vulnerabilities (internal and external) are identified and resolved in a timely manner.
3. Enable management to make informed decisions regarding implementation of security controls and remediation measures

Using

Sources
• Risk assessments
• Vendor advisories
• System test results
• System audit logs

Methods
• Automated vulnerability scan
• Network mapping
• Penetration testing

Vulnerability Assessment-2

Following Applicable Test Techniques

User Interface Test
• Simulate Web Browser
• URL Validation
• Form Validation
• Field Validation
• Workflow Validation
• SQL Injection
• Cross Site Scripting

Static Analysis Test
• Logic Flow Check
• Memory Allocation Check
• Data Type Check
• Data Variables Usage Check
• Buffer Overflow Check
• Error Handling Check

Vulnerability Test / Penetration Test (items in the order they appear on the slide)
• Operating Systems
• Network Drivers
• Data Corruption
• Virus Detectors
• Software Libraries
• Software Applications
• Database
• Network Servers
• Network Devices
• Network Protocols
• Denial-of-Services

And Test Tools

• Network Assessment: Foundstone
• Network Mapping: NetStumbler
• Wireless Network Analysis: AirSnort
• Host Configuration Analysis: Solarwinds
• Traffic Analysis: Ethereal
• Access Control: GetAdmin
• Web Application Scan: AppScan, WebInspect
• Web Services Scan: SOAPUI
• Database Scan
• Data Retrieval

Cyber based critical infrastructure assets are vulnerable to cyber attacks because of the increasing interdependence and automation of cyber systems.

A diverse range of measures is required to bridge the gap between technology advancement and technology assessment.

This presentation has provided an overview of cyber systems and an assessment framework for the required security controls to protect critical cyber assets.

Lockheed Martin is developing innovative approaches to test, evaluate and assess the security posture of organizations' information system and cyber system environment.